From 9e2a74e9b50d8481f7976a7de9cd3982219bebd2 Mon Sep 17 00:00:00 2001
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com>
Date: Wed, 25 Mar 2026 13:56:48 +0000
Subject: [PATCH 1/5] Initial plan

From 6fbee193bdc8dc0d2fb62f03ab04e4e3fa63e537 Mon Sep 17 00:00:00 2001
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com>
Date: Wed, 25 Mar 2026 14:01:36 +0000
Subject: [PATCH 2/5] feat: add OSSF Scorecard GitHub Actions workflow and update supply-chain verification

Co-authored-by: seonghobae <8172694+seonghobae@users.noreply.github.com>
Agent-Logs-Url: https://github.com/seonghobae/bandscope/sessions/ba935340-dbe2-4369-bee3-5b437786b486
---
 .github/workflows/ossf-scorecard.yml  | 37 +++++++++++++++++++++++++++
 scripts/checks/verify_supply_chain.py |  7 +++++
 2 files changed, 44 insertions(+)
 create mode 100644 .github/workflows/ossf-scorecard.yml

diff --git a/.github/workflows/ossf-scorecard.yml b/.github/workflows/ossf-scorecard.yml
new file mode 100644
index 0000000..a5c6e68
--- /dev/null
+++ b/.github/workflows/ossf-scorecard.yml
@@ -0,0 +1,37 @@
+name: ossf-scorecard
+
+on:
+  branch_protection_rule:
+  schedule:
+    - cron: '30 1 * * 1'
+  push:
+    branches:
+      - develop
+      - main
+
+permissions: read-all
+
+jobs:
+  analysis:
+    name: ossf-scorecard
+    runs-on: ubuntu-latest
+    permissions:
+      security-events: write
+      id-token: write
+    steps:
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          persist-credentials: false
+      - uses: ossf/scorecard-action@4eaacf0543bb3f2c246792bd56e8cdeffafb205a # v2.4.3
+        with:
+          results_file: results.sarif
+          results_format: sarif
+          publish_results: true
+      - uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
+        with:
+          name: ossf-scorecard-results
+          path: results.sarif
+          retention-days: 5
+      - uses: github/codeql-action/upload-sarif@38697555549f1db7851b81482ff19f1fa5c4fedc # v4.34.1
+        with:
+          sarif_file: results.sarif
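Review bot: `publish_results: true` on the scorecard-action step is, per that action's documentation, only supported when the workflow runs on the repository's default branch, yet the `push` trigger lists both `develop` and `main`; if `develop` is not the default branch those runs may fail option validation or silently skip publishing, so this is worth confirming against the action's README and, if so, limiting `branches` to the default branch. The job-level grants `security-events: write` and `id-token: write` are unexplained in a workflow that otherwise declares `permissions: read-all`; a comment above the job `permissions:` block such as `# id-token: write is needed by scorecard-action to publish results; security-events: write lets upload-sarif post to code scanning` would record why each elevation exists. The commit-pinned action SHAs and `persist-credentials: false` on checkout are the right hardening for a read-only analysis job.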
diff --git a/scripts/checks/verify_supply_chain.py b/scripts/checks/verify_supply_chain.py
index 2391a1c..a2938b8 100644
--- a/scripts/checks/verify_supply_chain.py
+++ b/scripts/checks/verify_supply_chain.py
@@ -16,6 +16,7 @@
     Path(".github/workflows/release.yml"),
     Path(".github/workflows/secret-scan-gate.yml"),
     Path(".github/workflows/build-baseline.yml"),
+    Path(".github/workflows/ossf-scorecard.yml"),
     Path("docs/security/dependency-policy.md"),
     Path("docs/security/sbom-policy.md"),
     Path("docs/security/code-security.md"),
@@ -156,6 +157,12 @@ def verify_workflow_coverage() -> list[str]:
         missing.append(
             "build workflow should not rely on macos-latest for architecture coverage"
         )
+    scorecard = read_workflow(
+        Path(".github/workflows/ossf-scorecard.yml"), "ossf scorecard", missing
+    )
+    for token in ["develop", "main", "push", "schedule", "ossf-scorecard"]:
+        if scorecard and token not in scorecard:
+            missing.append(f"ossf scorecard workflow missing token: {token}")
     return missing

From 93e19c644dd77f9a97aa5c77bfd14b818e6d6660 Mon Sep 17 00:00:00 2001
From: Seongho Bae
Date: Wed, 25 Mar 2026 23:37:09 +0900
Subject: [PATCH 3/5] fix: remove unsupported branch_protection_rule trigger from ossf-scorecard workflow

The branch_protection_rule event is not supported by the ossf/scorecard-action and causes unexpected behavior. Keep only push (develop, main) and weekly schedule. Addresses CodeRabbit review comment on PR #82.
---
 .github/workflows/ossf-scorecard.yml | 1 -
 1 file changed, 1 deletion(-)

diff --git a/.github/workflows/ossf-scorecard.yml b/.github/workflows/ossf-scorecard.yml
index a5c6e68..8d56148 100644
--- a/.github/workflows/ossf-scorecard.yml
+++ b/.github/workflows/ossf-scorecard.yml
@@ -1,7 +1,6 @@
 name: ossf-scorecard
 
 on:
-  branch_protection_rule:
   schedule:
     - cron: '30 1 * * 1'
   push:

From 7889aaac6a3062e42e08c95147b0135cbd34b61c Mon Sep 17 00:00:00 2001
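Review bot: The new token loop in verify_workflow_coverage only confirms that the trigger names and the workflow name occur somewhere in the scorecard workflow, so a later edit that drops `persist-credentials: false` or `permissions: read-all` from ossf-scorecard.yml would still pass a supply-chain verifier whose purpose is to catch exactly that regression. Adding the hardening settings to the list, `for token in ["develop", "main", "push", "schedule", "ossf-scorecard", "permissions: read-all", "persist-credentials: false"]:`, closes that gap; the same applies to the rewritten loop in [PATCH 4/5]. Because `token not in scorecard` is a plain substring test on whatever `read_workflow` returns (apparently the raw file text), a token inside a YAML comment also satisfies it, which is acceptable for a presence check but deserves a one-line comment such as `# coarse substring presence check, not a YAML parse`. `verify_workflow_coverage` begins before this hunk.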
From: Seongho Bae
Date: Wed, 25 Mar 2026 23:41:24 +0900
Subject: [PATCH 4/5] refactor: use extend() with generator in verify_workflow_coverage scorecard loop

Replace individual append() calls in the ossf scorecard token loop with a single extend() using a generator expression, as requested in CodeRabbit review.
---
 scripts/checks/verify_supply_chain.py | 9 ++++++---
 1 file changed, 6 insertions(+), 3 deletions(-)

diff --git a/scripts/checks/verify_supply_chain.py b/scripts/checks/verify_supply_chain.py
index a2938b8..80d6622 100644
--- a/scripts/checks/verify_supply_chain.py
+++ b/scripts/checks/verify_supply_chain.py
@@ -160,9 +160,12 @@ def verify_workflow_coverage() -> list[str]:
     scorecard = read_workflow(
         Path(".github/workflows/ossf-scorecard.yml"), "ossf scorecard", missing
     )
-    for token in ["develop", "main", "push", "schedule", "ossf-scorecard"]:
-        if scorecard and token not in scorecard:
-            missing.append(f"ossf scorecard workflow missing token: {token}")
+    if scorecard:
+        missing.extend(
+            f"ossf scorecard workflow missing token: {token}"
+            for token in ["develop", "main", "push", "schedule", "ossf-scorecard"]
+            if token not in scorecard
+        )
     return missing

From 98f1ab7742cbb680f8702fc828b557e483685b05 Mon Sep 17 00:00:00 2001
From: Seongho Bae
Date: Wed, 25 Mar 2026 23:57:28 +0900
Subject: [PATCH 5/5] ci: re-trigger build runners
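Review bot: The token list is embedded inside the generator expression's `for` clause, which makes the data the check is about the hardest line to read and the longest in the block; hoisting it above the guard as `scorecard_tokens = ("develop", "main", "push", "schedule", "ossf-scorecard")` and iterating `for token in scorecard_tokens` keeps the `extend` call to three short lines. The `if scorecard:` guard appears to rely on `read_workflow` having already recorded the missing-file case in `missing` when it returns a falsy value — plausible since it receives `missing`, but not visible here — so a comment on that line, `# read_workflow reports an unreadable file itself; only scan tokens when content was loaded`, would make the contract explicit. `verify_workflow_coverage` begins before this hunk.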